Due to a vulnerability in Reddit, attackers were able to execute moderator activities or elevate normal users to mod status without the necessary authorization. Since Reddit admins have the ability to pin or remove content, block other users, and modify subreddit metadata, the weakness may have allowed for all sorts of mischief.
According to a recent HackerOne report, a bug researcher with the handle 'high ping ninja' discovered that when mod logs were requested through GraphQL, Reddit did not verify that the requesting user was actually a moderator of the subreddit named in the request.
“You can change the parameter subredditName to any target subreddit name which is public or restricted and get access to mod logs of that subreddit,” they explained.
The insecure direct object reference (IDOR) flaw was reported on August 3 and patched the same day. Insecure direct object references are a class of access control vulnerability that occurs when an application uses user-supplied input to access an object directly, without checking that the requester is authorized to access that particular object.
The term IDOR gained popularity after it appeared in the OWASP Top Ten in 2007. It is, however, just one of several access control implementation errors that can allow access restrictions to be bypassed. IDOR vulnerabilities are most often associated with horizontal privilege escalation, although they can also enable vertical privilege escalation.
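To make the bug class concrete, the following is an added example written for this page; it is not Reddit's code and is not taken from the HackerOne report. It models a GraphQL-style resolver for a subreddit's mod log in plain JavaScript, with constructed sample data. The subreddit and user names, the `modLog` field, the `visibility` values and the function names are all assumptions for illustration. The first resolver reproduces the IDOR pattern described above (the object is looked up from the caller-supplied `subredditName` with no check that the caller moderates it); the second ties the authorization check to the object being fetched.

```javascript
// Added example, not Reddit's code. Constructed sample data: two subreddits,
// each with a moderator list and a mod log. Names and fields are assumptions.
const subreddits = {
  cats: {
    visibility: "public",
    moderators: ["alice"],
    modLog: [{ action: "removelink", mod: "alice", target: "t3_example" }],
  },
  secretclub: {
    visibility: "private",
    moderators: ["bob"],
    modLog: [{ action: "banuser", mod: "bob", target: "mallory" }],
  },
};

// Vulnerable resolver (the IDOR pattern): it confirms the subreddit exists and
// is not private, but never checks that ctx.userId moderates it. Any logged-in
// user who changes subredditName gets that subreddit's mod log.
function modLogVulnerable(ctx, args) {
  const sub = subreddits[args.subredditName];
  if (!sub || sub.visibility === "private") throw new Error("NOT_FOUND");
  return sub.modLog;
}

// Hardened resolver: authorization is evaluated against the specific object
// being returned, not just against "is the caller logged in".
function modLogSecure(ctx, args) {
  if (!ctx.userId) throw new Error("UNAUTHENTICATED");
  const sub = subreddits[args.subredditName];
  // Same error for "no such subreddit" and "not a moderator", so a caller
  // cannot use the error type to enumerate subreddits they do not moderate.
  if (!sub || !sub.moderators.includes(ctx.userId)) {
    throw new Error("FORBIDDEN");
  }
  return sub.modLog;
}

// Small harness: run a resolver as a given user and summarise the outcome.
// Useful as a regression test that the authorization check stays in place.
function probe(resolver, userId, subredditName) {
  try {
    const entries = resolver({ userId }, { subredditName });
    return { allowed: true, entries: entries.length };
  } catch (e) {
    return { allowed: false, error: e.message };
  }
}

// Side-by-side comparison for a non-moderator asking for another subreddit's log.
function compare(userId, subredditName) {
  return {
    vulnerable: probe(modLogVulnerable, userId, subredditName),
    secure: probe(modLogSecure, userId, subredditName),
  };
}

console.log(JSON.stringify(compare("mallory", "cats"), null, 2));
```

The `probe` helper is the kind of check worth keeping in a test suite: for every resolver that takes an object identifier from the client, assert that a user with no relationship to that object is refused, and that the refusal does not differ from the not-found case.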
“I increased severity to high based on our program policy,” a member of the Reddit triage team said in the disclosure notes.
The researcher received a $5,000 bug bounty for the discovery.